Address CVEs Using Red Hat Advanced Cluster Management Governance Policy Framework
February 4, 2021 | by
Red Hat Advanced Cluster Management for Kubernetes governance policy framework is designed to help improve the security of the managed clusters, including the management of CVEs. There are recent vulnerability concerns within Kubernetes: CVE-2020-8554, Man in the Middle using LoadBalancer or External IPs, was recently discovered. This vulnerability affects multitenant clusters and currently there is no single solution for users. The main concern is that a potential attacker who already has the privileges to create or edit services and pods may be able to seize traffic from other pods (or nodes) in the cluster. This issue is a design flaw, but it can be mitigated with a potential solution presented in this blog.
The good news is that OpenShift Container Platform 4.x and Red Hat Advanced Cluster Management are not affected by this CVE, but we want to help your managed clusters remain safe from this vulnerability. Developers created a solution by using the Red Hat Advanced Cluster Management policy framework to contribute the Gatekeeper allowed External IP security policy to the open source community (policy-gatekeeper-allowed-external-ips.yaml). The security policy was implemented in order to mitigate the Kubernetes vulnerability, CVE-2020-8554.
By using the Gatekeeper allowed External IP policy, externalIPs are locked to assist in hardening your managed clusters. The YAML template provided in the policy-collection repository lets you identify which external IPs are allowed for your managed clusters, which in turn restricts all other external IPs. To use policy-gatekeeper-allowed-external-ips.yaml, you must first install the Gatekeeper controller. For more information about installing the Gatekeeper controller, see the gatekeeper repository.
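To make the allowlist idea concrete, here is an added example (not the contents of policy-gatekeeper-allowed-external-ips.yaml and not code from the original post) of a Gatekeeper constraint that restricts Service externalIPs, followed by a Service it would reject. It assumes the K8sExternalIPs ConstraintTemplate from the Gatekeeper library is already installed on the cluster; the constraint name, namespace, Service and addresses are constructed for illustration.

```yaml
# Added example. Assumes the K8sExternalIPs ConstraintTemplate from the
# Gatekeeper library is installed. All names and addresses are constructed.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sExternalIPs
metadata:
  name: allowed-external-ips          # hypothetical constraint name
spec:
  match:
    kinds:
      - apiGroups: [""]               # core API group
        kinds: ["Service"]
  parameters:
    # Only these addresses may appear in spec.externalIPs of any Service.
    # An empty list means no Service may set externalIPs at all.
    allowedIPs:
      - "203.0.113.10"                # documentation range (RFC 5737)
---
# Constructed Service that the constraint above denies at admission:
# 198.51.100.7 is not in allowedIPs, so the whole object is rejected
# even though 203.0.113.10 is permitted.
apiVersion: v1
kind: Service
metadata:
  name: tenant-a-web                  # hypothetical
  namespace: tenant-a                 # hypothetical
spec:
  selector:
    app: web
  ports:
    - port: 80
      targetPort: 8080
  externalIPs:
    - "203.0.113.10"                  # allowed
    - "198.51.100.7"                  # not allowed, triggers the violation
```

Services created before the constraint existed are not removed by admission control; they show up as violations in the constraint's status once Gatekeeper's audit has run, and need to be corrected separately.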
In conclusion, this CVE has been a long-standing issue for the Kubernetes project, which was fixed in OpenShift Container Platform 3.11 and addressed in OpenShift Container Platform 4. Fortunately, the open-cluster-management community policy, policy-gatekeeper-allowed-external-ips.yaml, can be used to help address the CVE. Check out the open source community, open-cluster-management, for other policies that can be applied to enhance the security of your managed clusters and help you meet your governance, risk, and compliance requirements.